ADS DM Client Can Not Connect to Samba
John H Terpstra
jht at samba.org
Fri Oct 1 02:26:48 GMT 2004
Doug,
Thanks for the feedback. I'll summarize to this list my findings late
tomorrow. I tried samba-3.0.6, 3.0.7, 3.0.8pre1, 3.1.0SVN - all failed to
permit Windows XP Pro and Windows 2000 Pro clients of an ADS domain to
connect to a Samba server that is an ADS domain member. I tried this with
Win2000 ADS as well as with Win2003 ADS. In all cases, when the client does a
SessionSetupX using Kerberos credentials the Samba server reply causes the
client to drop the connection. The client tries 3 times before giving up. It
then presents the user with a logon box. No valid username/password pair will
permit Samba server access.
Before reporting details I will verify on a newly installed environment.
- John T.
On Thursday 30 September 2004 16:19, Doug VanLeuven wrote:
> John H Terpstra wrote:
> >Jeremy/Folks,
> >
> >Can anyone decode what the cause of the following level 10 log fragment
> >might be?
> >
> >[2004/09/30 12:18:14, 3]
> >libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
> > ads_secrets_verify_ticket: enc type [3] failed to decrypt with error
> >Decrypt integrity check failed
>
> If one chases down KRB5KRB_AP_ERR_BAD_INTEGRITY in the Kerberos lists,
> and checks the krb5-1.3.4 code of a program like kinit, one ends up
> believing this is the krb5 way of saying incorrect password.
>
> For example, check lines 835-836 of kinit.c
> else if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY)
> fprintf(stderr, "%s: Password incorrect while %s\n", progname,
>
> Add to this that if multiple service principal entries exist in
> /etc/krb5.keytab with the same enctype only the first matching kvno and
> enctype will be used.
>
> There seems to be a consensus that this started with 2003 ADS and spread
> to 2000 server ADS.
>
> I have 2 machines out of 5 that haven't generated this error in several
> days. 3 others do. Otherwise my 5 Samba 3.0.8pre1-SVN-build-2605 seem
> to be identically configured in global configs.
>
> Regards, Doug
--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668
Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
OpenLDAP by Example, ISBN: 0131488732
Other books in production.
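
A diagnostic sketch for the keytab point in Doug's quoted reply, added here as an example and not code from either poster or from Samba: it parses MIT keytab bytes (file format 0x0502) and lists every principal/kvno/enctype slot that holds more than one distinct key. The host name, realm and key bytes in the sample are constructed, and `make_entry` is a hypothetical helper used only to build that sample.

```python
import struct
from collections import defaultdict

def parse_keytab(data):
    """Yield (principal, kvno, enctype, key) from MIT keytab bytes (format 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted entry
            pos += -size
            continue
        end, p = pos + size, pos
        def take(fmt):                     # unpack one big-endian field at p, advance p
            nonlocal p
            (val,) = struct.unpack_from(">" + fmt, data, p)
            p += struct.calcsize(">" + fmt)
            return val
        counted = lambda: take(f"{take('H')}s")   # uint16 length, then that many bytes
        ncomp = take("H")
        realm = counted().decode()
        name = "/".join(counted().decode() for _ in range(ncomp))
        p += 8                             # skip name type and timestamp
        kvno, enctype, key = take("B"), take("H"), counted()
        if end - p >= 4:                   # optional 32-bit kvno replaces the 8-bit one
            kvno = take("I") or kvno
        yield f"{name}@{realm}", kvno, enctype, key
        pos = end

def shadowed_keys(entries):
    """Map (principal, kvno, enctype) -> keys in file order, for slots with conflicting keys."""
    slots = defaultdict(list)
    for name, kvno, enctype, key in entries:
        slots[(name, kvno, enctype)].append(key)
    return {slot: keys for slot, keys in slots.items() if len(set(keys)) > 1}

def make_entry(comps, realm, kvno, enctype, key):   # builds constructed sample data
    cs = lambda b: struct.pack(">H", len(b)) + b
    body = (struct.pack(">H", len(comps)) + cs(realm) + b"".join(map(cs, comps))
            + struct.pack(">IIBH", 1, 0, kvno, enctype) + cs(key))
    return struct.pack(">i", len(body)) + body

# Constructed sample: one principal/kvno/enctype slot holds two different keys.
SAMPLE = b"\x05\x02" + b"".join(
    make_entry([svc, b"samba1.example.com"], b"EXAMPLE.COM", 2, 3, key)
    for svc, key in [(b"host", b"\x11" * 8), (b"host", b"\x22" * 8), (b"cifs", b"\x33" * 8)])
```

Run against a real file with `shadowed_keys(parse_keytab(open(path, "rb").read()))`; if only the first match is used, as the reply says, every key after the first in a reported slot is never tried.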